It all started with a troll on Facebook. “SIngh Boobshow Dance” on YouTube. With a URL tacked on. Checking the connections to this site demonstrates an interesting “ephemeral” sort of advertising of a site that has malicious content available (whether intentionally or as a result of a hacked server.)
But hey, who can pass up a video with a name like that:
Good grief in Three months it’s gotten nearly 20,000 views according to YouTube.
(click graphic to enlarge)
And we have the MyHotSite.net URL advertised on top of the video of the jiggle dance show.
Click to enlarge graphic (he he).
And advertised, and advertised and advertised…
((Click graphic to enlarge)
So we finally take the hint and go to the site
Oh, I need an additional plugin for Firefox? Funny, that’s a .pdf file the site seems to want to download.
(Click graphic to enlarge)
VIPRE thought it was funny too. Now it is possible that the file was uploaded to the MyHotSite.net server by a malicious operator.
(Click graphic to enlarge)
VIPRE says it’s a downloader: “Exploit.PDF-JS.Gen (v) is a detection for threats that exploit a security flaw in PDF files with embedded JavaScript that often installs downloaders that retrieve further malware from remote Web sites.”
What did it want to download? You can be sure it wasn’t good, but the site (or code placed on it) clearly had measures set up to offer the malcode only on a visitor’s first visit, so an analyst couldn’t go any further.
The video that was the original lure in all of this might have been swiped from an Indian news site IndiaInteracts.com since its URL appears amid the boobs dancing girls.
But back to the original source of the URL.
Taqi Quresshi doesn’t exist on Facebook.
How about a search for Web pages that link to MyHotSite.net? Only one page links to it in the whole wide world – a Facebook page according to Google:
(Click graphic to enlarge)
Asep Tian, whose page no longer exists anywhere except Google’s cache, had text in Indonesian and, of course a link to MyHotSite.net.
Bottom line: beware of those URL’s that show up in social media and in videos. In graphics – such as videos — they can’t be found by search engines looking for the links to malicious sites.
Tom Kelchner